This blog is part of a series which is related to setting up Cloud Identity to authenticate Cloud Portal in different scenarios.
|Setting up Authentication for Cloud Portal using Cloud Identity|
In the previous blog, we saw how to create roles and assign them manually to users within the Cloud Portal.In real world scenario, it is unlikely that we would be adding each user to these custom HCP roles. Assume, if there are 1000’s of users and managing this assignment within the Cloud Portal configuration section would become cumbersome. In this blog, I am going to show how we can map users to groups and manage this more efficiently.
Creation of Groups in HCP Cockpit
When dealing with large user volumes, it is recommended to have groups to manage the user access. Navigate to the “Authorization” menu of the HCP cockpit and create two groups – Employee & Manager. Assign the respective HCP roles as shown below.
Navigate to the Cloud Portal Configuration section and un-assign the users from the Employee and Manager role. Notice that the assigned groups for a particular role shows up on the right-hand side.
Creation of Groups in Cloud Identity
Login to SCI as an administrator click on “User Groups” tile
Add two groups – one for Employee and other for Manager.
Navigate back to the “User Management” tile and edit the Employee User to assign this user to the newly created SCI User Group.
Repeat the same for Manager User and assign this user to Manager Group created in SCI.
Configure application in Cloud Identity
Navigate to the “Applications” tiles and select the HCP account which has been setup as the service provider. Under SAML 2.0 section, click on “Assertion Attributes”.
Add a new attribute called “groups” as shown below and save your changes.
Navigate to the Trust settings in HCP Cockpit and click on the linked SCI tenant.
This should bring up a popup screen with Attributes and Groups tab. Select the “Groups” tab and click on “Add Assertion-Based Group”.
On the left-hand side, the employee group refers to the HCP employee group. This needs to be mapped with the SCI group called “Employee_SCI_Group”. Under Mapping Rule, we have added groups as this was set in the Assertion attributes previously.
Save your changes and try to launch the Portal site as a Manager. You should be presented with the Apps relevant for Manager role.
In the next blog, we shall see how to setup and use Two-Factor Authentication (2FA) in SCI to access the Cloud Portal.